Invoice verification rule management and maintenance skill

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly broad instruction could disable or delete invoice validation rules and affect business validation behavior.

Why it was flagged

The CLI directly performs administrative delete and enable/disable actions for validation rules. Any status other than exactly 'enabled' falls to the disable endpoint, and no confirmation or rollback guard is shown.

Skill content
async 'delete-rule'(p) { ... '/admin/validateRule/delete' ... } ... const endpoint = isEnable ? '/admin/validateRule/enable' : '/admin/validateRule/disable';
Recommendation

Require explicit user confirmation for create/update/delete/enable/disable operations, validate status values strictly, and prefer query or dry-run steps before mutation.

What this means

Installing or using the skill with a privileged token could let the agent modify validation configuration beyond what the user intended.

Why it was flagged

The skill uses an access token for API calls, while the supplied registry metadata declares no required environment variables and no primary credential. The token authorizes admin operations, so its scope and handling matter.

Skill content
token: process.env.VALIDATE_TOKEN ... 'X-Access-Token': config.token
Recommendation

Declare the credential requirements, use least-privileged tokens, avoid production tokens unless necessary, and prefer HTTPS-only base URLs.

What this means

Users may not realize this instruction-only skill still expects local Node.js command execution.

Why it was flagged

The skill documentation asks the user to run npm/npx setup even though the registry says there is no install spec. The included package has no dependencies, so this is a disclosure/provenance note rather than evidence of malicious installation behavior.

Skill content
npx vr help 2>/dev/null || (cd <skill目录> && npm install)
Recommendation

Review the included package files before running npm/npx, and publish an explicit install spec if setup is required.